T1078 Insider Threat Response Playbook
A structured playbook for detecting, triaging, investigating, and responding to insider threats — from negligent insiders and credential theft to malicious data exfiltration by trusted employees.
What This Playbook Covers
- This playbook handles confirmed or suspected insider threat activity. “Insider threat” covers three distinct scenarios, each with different detection signals and response procedures.
- It does not cover the full response to an external attacker who has compromised an insider account — once an incident is classified as a compromised insider, hand it off to credential theft response. The distinction matters because the remediation is different.
Insider Threat Types
| Type | Description | Motivation | Typical Indicators |
|---|---|---|---|
| Malicious insider | Employee or contractor deliberately stealing data, sabotaging systems, or abusing access | Financial gain, revenge, ideology, competitive advantage | Large data transfers, unusual access patterns, privilege escalation |
| Negligent insider | User who violates policy through carelessness — sharing credentials, falling for phishing, misconfiguring systems | Convenience, lack of awareness, time pressure | Credential sharing, shadow IT, policy violations |
| Compromised insider | Legitimate user whose credentials are stolen by an external attacker | External actor | Anomalous authentication, impossible travel, lateral movement |
Phase 0: Determine the Insider Threat Type (0-15 minutes)
Before executing response actions, classify the incident. The wrong classification leads to the wrong response.
Malicious Insider Indicators
| Indicator | What to Check | Confidence |
|---|---|---|
| Mass file access/download | File server logs, DLP alerts — hundreds or thousands of files accessed in a short window | High |
| External data transfer | DLP alerts, email logs, web proxy — data sent to personal email, cloud storage, or USB | High |
| Privilege escalation | Event ID 4728, 4732 — user added themselves or a colleague to a privileged group | High |
| Unusual work hours | Authentication logs, badge access — activity at 2 AM from someone who normally works 9-5 | Medium |
| Job dissatisfaction signals | HR data — recent resignation, poor performance review, policy violation warnings | Contextual |
| Data deletion/destruction | File audit logs, volume shadow copy deletion — deliberate destruction of evidence | Critical |
SPL query — detect mass file access (distinct files per user per clock hour; the hour bucket must be created before the count, because default fields such as date_hour do not survive a stats command):
index=fileserver (Operation=Read OR Operation=Access)
| bin _time span=1h
| stats dc(SourceFile) as UniqueFiles by UserName, _time
| where UniqueFiles > 500
| eval alert = "HIGH — " . UserName . " accessed " . UniqueFiles . " unique files in one hour — potential data staging"
| table _time, UserName, UniqueFiles, alert
| sort - UniqueFiles
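The same detection outside Splunk, as an added example (not code from the original playbook): per-user, per-hour distinct-file counting over constructed file-server audit records whose field names follow the SPL query (UserName, Operation, SourceFile, _time). The sample data and the 500-file threshold are assumptions for illustration; only Read/Access operations count, as in the query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Alert threshold from the SPL query: more than this many distinct files
# read or accessed by one user inside a single clock hour.
THRESHOLD = 500


def make_sample_events():
    """Build constructed (synthetic) file-server audit events.

    - jdoe reads 650 distinct finance files between 02:00 and 02:55 (staging).
    - jdoe also writes 10 files in that hour; writes must not be counted.
    - asmith touches the same 40 files repeatedly during business hours.
    - jdoe has a benign afternoon hour with 20 files.
    """
    events = []
    start = datetime(2024, 5, 6, 2, 0, 0)
    for i in range(650):
        events.append({"_time": start + timedelta(seconds=i * 5), "UserName": "jdoe",
                       "Operation": "Read", "SourceFile": f"\\\\fs01\\finance\\q1\\doc_{i}.xlsx"})
    for i in range(10):
        events.append({"_time": start + timedelta(minutes=i), "UserName": "jdoe",
                       "Operation": "Write", "SourceFile": f"\\\\fs01\\finance\\q1\\tmp_{i}.zip"})
    start = datetime(2024, 5, 6, 10, 0, 0)
    for i in range(600):
        events.append({"_time": start + timedelta(seconds=i * 6), "UserName": "asmith",
                       "Operation": "Access", "SourceFile": f"\\\\fs01\\shared\\file_{i % 40}.docx"})
    start = datetime(2024, 5, 6, 14, 0, 0)
    for i in range(20):
        events.append({"_time": start + timedelta(minutes=i), "UserName": "jdoe",
                       "Operation": "Read", "SourceFile": f"\\\\fs01\\hr\\policy_{i}.pdf"})
    return events


def detect_mass_file_access(events, threshold=THRESHOLD):
    """Return one alert per (user, hour) whose distinct-file count exceeds
    `threshold`, highest count first. Mirrors the SPL pipeline:
    bin _time span=1h | stats dc(SourceFile) by UserName, _time | where ... """
    unique_files = defaultdict(set)
    for ev in events:
        if ev.get("Operation") not in ("Read", "Access"):
            continue
        hour = ev["_time"].replace(minute=0, second=0, microsecond=0)  # bin span=1h
        unique_files[(ev["UserName"], hour)].add(ev["SourceFile"])     # dc(SourceFile)

    alerts = []
    for (user, hour), files in unique_files.items():
        if len(files) > threshold:
            alerts.append({
                "_time": hour,
                "UserName": user,
                "UniqueFiles": len(files),
                "alert": f"HIGH - {user} accessed {len(files)} unique files in one hour - potential data staging",
            })
    alerts.sort(key=lambda a: a["UniqueFiles"], reverse=True)  # sort - UniqueFiles
    return alerts


if __name__ == "__main__":
    for a in detect_mass_file_access(make_sample_events()):
        print(a["_time"].isoformat(), a["alert"])
```

Running it yields a single alert for jdoe in the 02:00 hour (650 unique files); asmith's 600 accesses collapse to 40 distinct files and stay below the threshold, which is the point of counting distinct files rather than raw events.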
Negligent Insider Indicators
| Indicator | What to Check | Confidence |
|---|---|---|
| Credential sharing | Repeated failed logins from multiple IPs, then successful logon — shared password | Medium |
| Phishing susceptibility | Multiple phishing simulation failures; reported malicious emails without clicking | Medium |
| Shadow IT usage | Web proxy logs — unsanctioned cloud services, personal file sharing | Medium |
| Policy violation | HR records — previous warnings about data handling or equipment use | Contextual |
Compromised Insider Indicators
| Indicator | What to Check | Confidence |
|---|---|---|
| Impossible travel | Authentication logs — logon from US and Asia within 30 minutes | High |
| Anomalous location | Authentication logs — logon from a country the user has never visited | High |
| New device registration | MFA logs — new device or new browser registered | Medium |
| Anomalous behavior | User behavior analytics (UBA) — sudden change in access pattern | Medium |
If impossible travel or anomalous authentication is present, this is a compromised insider — escalate to credential theft response.
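An impossible-travel check implemented over constructed, geo-enriched logon records, as an added example (not code from the original playbook). It assumes the SIEM has already attached a latitude/longitude to each source IP and that private or VPN-egress addresses were filtered out beforehand; the 900 km/h speed ceiling and the sample records are assumptions for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed (synthetic) logon records; lat/lon stand in for SIEM geo-enrichment.
# jdoe: New York, then Singapore 25 minutes later. asmith: New York, then Boston 3 hours later.
SAMPLE_LOGONS = [
    {"user": "jdoe", "time": datetime(2024, 5, 6, 8, 0), "ip": "203.0.113.10",
     "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "jdoe", "time": datetime(2024, 5, 6, 8, 25), "ip": "198.51.100.7",
     "country": "SG", "lat": 1.35, "lon": 103.82},
    {"user": "asmith", "time": datetime(2024, 5, 6, 9, 0), "ip": "203.0.113.22",
     "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "asmith", "time": datetime(2024, 5, 6, 12, 0), "ip": "203.0.113.23",
     "country": "US", "lat": 42.36, "lon": -71.06},
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(logons, max_speed_kmh=900.0):
    """Flag consecutive logons per user whose implied ground speed exceeds
    `max_speed_kmh` (roughly airliner cruise speed, an assumed ceiling).
    Returns one finding per offending pair with the numbers an analyst needs."""
    by_user = defaultdict(list)
    for entry in logons:
        by_user[entry["user"]].append(entry)

    findings = []
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["time"])
        for prev, cur in zip(entries, entries[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                # Same-second logons from two different places are still impossible.
                speed = math.inf if km > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": (prev["country"], prev["ip"], prev["time"]),
                    "to": (cur["country"], cur["ip"], cur["time"]),
                    "distance_km": round(km),
                    "speed_kmh": speed if speed == math.inf else round(speed),
                    "confidence": "High",
                })
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_LOGONS):
        print(f["user"], f["from"][0], "->", f["to"][0], f["distance_km"], "km at", f["speed_kmh"], "km/h")
```

Only jdoe is flagged: roughly 15,300 km in 25 minutes. asmith's New York to Boston hop works out to about 100 km/h and passes. Pairing consecutive logons per user, rather than comparing every logon against the user's home country, is what keeps legitimate travel (a real flight with hours between logons) from alerting.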
Phase 1: Immediate Containment (15-30 minutes)
Critical Actions — Do These First
For malicious insider:
- Do NOT alert the user — notifying the user may trigger data destruction, evidence deletion, or escalation. Work quietly with legal and HR.
- Disable network access — block the user’s workstation at the switch level or via NAC
- Revoke VPN access — prevent remote access
- Disable the user account — `Disable-ADAccount -Identity "UserName"` — but only after confirming HR or legal approval
- Block external data transfers — enable restrictive DLP policies for all data from that user’s systems
- Disable USB ports — if the user is still onsite, disable removable media access via Group Policy
For negligent insider:
- Notify the user’s manager — negligent insiders require education, not containment
- Revoke temporary access — if the user shared credentials, reset passwords and require MFA re-enrollment
- Reschedule phishing training — if the user fell for a phishing simulation, assign remediation training
For compromised insider:
- Reset the user’s password — `Set-ADAccountPassword -Identity "UserName" -Reset`
- Revoke all session tokens — sign out of all active sessions (Azure AD, O365, VPN)
- Disable MFA tokens — de-register all MFA devices and require re-registration
- Isolate the user’s workstation — disconnect from the network for forensic imaging
What NOT to Do
| Action | Why It’s Dangerous |
|---|---|
| Confront the user immediately (malicious) | May trigger data destruction or escalation. Legal and HR must be involved first. |
| Assume every insider threat is malicious | Negligent and compromised insiders need different responses. |
| Fire the user before forensic preservation | Termination without evidence preservation destroys the case. |
| Notify the user’s team | Word spreads quickly, potentially alerting the user or destroying the investigation. |
| Restore from backup without investigation | Destroys evidence of the compromise timeline. |
Phase 2: Evidence Preservation (30-60 minutes)
Evidence Collection by Type
| Evidence | Malicious Insider | Negligent Insider | Compromised Insider |
|---|---|---|---|
| User workstation memory | ✅ Critical — contains active sessions, encryption keys | ❌ Not needed | ✅ Critical |
| File server access logs | ✅ Critical — shows data accessed | ✅ Helpful | ✅ Critical |
| Email and collaboration logs | ✅ Shows data exfiltration attempts | ✅ Shows policy violations | ✅ Shows attacker communication |
| Web proxy logs | ✅ Shows data upload destinations | ✅ Shows shadow IT | ✅ Shows C2 or data exfiltration |
| VPN and remote access logs | ✅ Helps determine scope | ❌ Not needed | ✅ Critical |
| Badge access logs | ✅ Correlates physical presence with digital activity | ❌ Not needed | ❌ Not needed |
| HR records | ✅ Performance, complaints, resignation notice | ✅ Policy violation history | ❌ Not needed |
| DLP alerts | ✅ Shows data exfiltration paths | ❌ Usually not applicable | ✅ Shows data exfiltration |
Forensic Acquisition Priority for Malicious Insider
- Memory capture (most volatile) — `dumpit.exe` or `winpmem`
- Process and network state — `netstat -ano`, `tasklist /v`
- Disk image — forensic image, not a file copy. Use `dd` or FTK Imager
- Cloud data — preserve the user’s OneDrive, SharePoint, and email via legal hold
Phase 3: Investigation (1-4 hours)
Questions to Answer
| Question | Evidence Source | How to Determine |
|---|---|---|
| What data was accessed? | File server logs, DLP alerts, web proxy | List every file accessed, downloaded, or uploaded during the suspicious window |
| Who else was involved? | Communication logs, badge access, email | Were there colluders? Did the user communicate with anyone else about the data? |
| Where was the data sent? | Web proxy, email logs, USB logs, cloud storage logs | External destination IPs, cloud providers, email recipients |
| Was data deleted? | File audit logs, volume shadow copy, backup logs | Check deletion events, shadow copy deletion, backup integrity |
| When did the behavior start? | All logs | Build a timeline — one week of data staging looks different from one day |
| Is the data recoverable? | Backup logs, DLP quarantine | Can the exfiltrated data be recovered via backup, DLP quarantine, or legal action? |
Timeline Reconstruction
SPL query — build activity timeline for a specific user:
index=* UserName="target_user"
| eval EventType = case(
EventCode==4624, "Logon",
EventCode==4648, "Logon with explicit creds",
EventCode==4663, "File access",
EventCode==5140, "Share access",
match(source, "DLP"), "DLP alert",
1=1, "Other"
)
| table _time, EventType, ComputerName, ObjectName, AccessMask
| sort _time
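The same timeline reconstruction done outside Splunk, as an added example (not code from the original playbook): the event classification mirrors the SPL case() above, the rows are sorted by time, and a small summary answers the Phase 3 questions "when did the behavior start" and "how long did it run". The sample events are constructed; field names follow the SPL query and the EventCode/source mapping is the one the query uses.

```python
from collections import Counter
from datetime import datetime

# Windows event IDs and the label the SPL case() gives each one.
EVENT_TYPES = {
    4624: "Logon",
    4648: "Logon with explicit creds",
    4663: "File access",
    5140: "Share access",
}


def classify(event):
    """Mirror the SPL case(): known EventCode first, then DLP by source, else Other.
    The source match is case-sensitive, like match(source, "DLP")."""
    code = event.get("EventCode")
    if code in EVENT_TYPES:
        return EVENT_TYPES[code]
    if "DLP" in str(event.get("source", "")):
        return "DLP alert"
    return "Other"


def build_timeline(events, user):
    """Return the user's events as (time, type, host, object, access) rows in time order."""
    rows = []
    for ev in events:
        if ev.get("UserName") != user:
            continue
        rows.append((ev["_time"], classify(ev), ev.get("ComputerName", ""),
                     ev.get("ObjectName", ""), ev.get("AccessMask", "")))
    rows.sort(key=lambda r: r[0])  # sort _time
    return rows


def summarize(timeline):
    """First/last activity, span in days, counts per type, and first DLP alert."""
    if not timeline:
        return {"events": 0}
    first, last = timeline[0][0], timeline[-1][0]
    first_dlp = next((r[0] for r in timeline if r[1] == "DLP alert"), None)
    return {
        "events": len(timeline),
        "first": first,
        "last": last,
        "span_days": (last - first).days + 1,
        "by_type": dict(Counter(r[1] for r in timeline)),
        "first_dlp_alert": first_dlp,
    }


# Constructed (synthetic) events: a week of after-hours staging by jdoe, listed out of
# order on purpose, plus one unrelated asmith logon that the user filter must drop.
SEC = "WinEventLog:Security"
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 5, 3, 2, 10), "UserName": "jdoe", "EventCode": 4663, "ComputerName": "FS01",
     "ObjectName": "D:\\Finance\\Q1\\payroll.xlsx", "AccessMask": "0x1", "source": SEC},
    {"_time": datetime(2024, 5, 1, 1, 58), "UserName": "jdoe", "EventCode": 4624, "ComputerName": "WS-JDOE", "source": SEC},
    {"_time": datetime(2024, 5, 1, 2, 1), "UserName": "jdoe", "EventCode": 4648, "ComputerName": "WS-JDOE", "source": SEC},
    {"_time": datetime(2024, 5, 1, 2, 3), "UserName": "jdoe", "EventCode": 5140, "ComputerName": "FS01",
     "ObjectName": "\\\\*\\Finance", "AccessMask": "0x1", "source": SEC},
    {"_time": datetime(2024, 5, 1, 2, 4), "UserName": "jdoe", "EventCode": 4663, "ComputerName": "FS01",
     "ObjectName": "D:\\Finance\\Q1\\forecast.xlsx", "AccessMask": "0x1", "source": SEC},
    {"_time": datetime(2024, 5, 7, 2, 40), "UserName": "jdoe", "ComputerName": "WS-JDOE",
     "ObjectName": "staging.zip -> personal cloud drive", "source": "DLP:Endpoint"},
    {"_time": datetime(2024, 5, 7, 2, 45), "UserName": "jdoe", "EventCode": 7045, "ComputerName": "WS-JDOE",
     "source": "WinEventLog:System"},
    {"_time": datetime(2024, 5, 7, 9, 0), "UserName": "asmith", "EventCode": 4624, "ComputerName": "WS-ASMITH", "source": SEC},
]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS, "jdoe")
    for row in tl:
        print(row[0].isoformat(), *row[1:])
    print(summarize(tl))
```

For the sample data the summary shows seven events over a seven-day span, with the DLP alert on the last night, which is exactly the "one week of staging versus one day" distinction the table asks the analyst to make.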
Phase 4: Response Actions (4-8 hours)
Malicious Insider — Response
| Action | Detail | Owner |
|---|---|---|
| HR notification | Inform HR — they guide the disciplinary process | SOC lead → HR |
| Legal notification | Legal handles evidence preservation, law enforcement contact, and civil action | HR → Legal |
| Account disablement | Disable the user’s AD account, revoke all access | SOC |
| Data recovery | Recover exfiltrated data from DLP quarantine or backup | IR team |
| Impact assessment | Identify all systems and data the user accessed | IR team |
| Access review | Review and revoke any privileges the user granted to others | SOC |
| Policy review | Identify controls that failed to prevent the incident | Security team |
Negligent Insider — Response
| Action | Detail | Owner |
|---|---|---|
| Manager notification | Inform manager — they handle the coaching/discipline | SOC → HR → Manager |
| Password reset | Require password change and MFA re-enrollment | SOC |
| Retraining | Assign targeted security training | HR / Security awareness |
| Access restrictions | Restrict access to sensitive data until training is complete | SOC |
| Policy review | Identify if unclear policies contributed to the negligence | Security team |
Compromised Insider — Follow Credential Theft Response
If the insider was compromised (credentials stolen), follow the credential theft incident response playbook. The user is a victim, not the attacker.
Phase 5: Hardening and Prevention
| Control | What It Prevents | Implementation |
|---|---|---|
| User and Entity Behavior Analytics (UEBA) | Early detection of anomalous behavior | SIEM-based UEBA module (Sentinel, Splunk UBA) |
| DLP with user monitoring | Data exfiltration detection | Endpoint DLP + network DLP + cloud DLP |
| Least privilege | Reduces malicious insider blast radius | Regular access reviews, JIT (Just-In-Time) access |
| Separation of duties | Prevents one person from controlling sensitive functions | Dual-approval for data access, admin actions |
| Data classification | Identifies which data to protect | Microsoft Purview, Boldon James, Titus |
| Watermarking/screen capture | Deters data theft via screenshots | Endpoint DLP with screen capture detection |
| Insider risk program | Structured program for insider threat lifecycle | Dedicated team or cross-functional working group |
Related
- Credential Theft Incident Response — detection and response for T1558.001, T1003.001, T1134 techniques
- Data Exfiltration Detection — detection and response for T1048, T1052 techniques
- Insider Threat — detection and response for T1078 techniques
- Privilege Escalation Investigation — detection and response for T1068 techniques
- SOC Analyst Skills — step-by-step SOC analyst response procedures
